Security Data Lake and Analytics Cloud Platform

Dilip Bachwani
Senior Vice President, Engin
Qualys, Inc.


Cloud Platform Evolution

Growing portfolio with 19+ apps
Cloud Agent driving product adoption
Organically built multi-petabyte data lake
Better cross-product and third-party data correlation...
Data Lake and Security Analytics Goals

Provide a coherent and actionable view of your security posture by breaking down security data silos
Coalesce all data into a centralized, highly scalable security data lake
Combine and enrich Qualys generated findings with third party signals
Leverage the strength of Qualys Cloud Platform, Cloud Agent and Apps to build a comprehensive security analytics platform
Security Analytics Use Cases

Real-time streaming correlation and analytics with out-of-box rules
Out-of-band batch analytics over historical data
Ad-hoc querying and threat hunting on enriched and security aware data sets
Advanced analytics use cases using machine learning
Orchestration with playbooks
Response and endpoint protection
Advanced Correlation and Analytics

Layered view, top to bottom:

ML/AI Service: Patterns | Outlier | Predictive
Orchestration & Automation: SoC Integration | Playbooks | Response
UEBA: User & Entity Behavior Analytics
Threat Hunting: Search | Exploration | Behavior Graph
Security Analytics: Anomaly | Visualization | Dashboard
Advanced Correlation: Actionable Insights | Out-of-box Rules

Qualys Security Data Lake Platform: Data Ingestion | Normalization | Enrichment | Governance

Qualys Quick Connectors feeding the platform from: Network, Firewall, Server, End Point, Qualys Apps, Apps, Cloud, Users, IoT
Correlation and Data Platform Architecture

Data flow, top to bottom:

Sources: Qualys Apps; Third Party Sources (Apps, Firewall, Users, IoT, Cloud, IPS)
  -> Qualys Streaming Data Backbone
  -> Normalization and Enrichment
  -> Real-time Stream Processing and Batch Processing
  -> Security Data Lake (Elastic, Cassandra, JanusGraph, Amazon S3)
  -> Consumers: Machine Learning, Visualization, Threat Hunting, Orchestration / Automation, APIs
Threat Storyline: Next-Gen Analytics, Data Lake and Orchestration

Attack sequence in the demo:
Threat Actor targets webserver with known vuln CVE-2018-7600 (Drupalgeddon2)
Passive Sensor logs outbound C&C traffic
Threat Actor steals credential by using Mimikatz and logs into domain controller
Cloud Agent detects and logs the IOC, detects post exploit tool Mimikatz, and the login activity is correlated to Mimikatz
Emergency patch applied
Threat Actor could NOT exfiltrate the sensitive info

Platform pipeline:
Continuous logging from Qualys Apps and 3rd Party (IT Infra Events, Security Infra Events) -> Correlation Engine -> Threat Storyline -> SOAR
Behavioral Analytics across MITRE ATT&CK stages
SOC Analyst can stop attacks before data exfiltration

MITRE ATT&CK Stages: Initial Access, Execution, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration
New Event Source

3439 Sources

SIEM
  IBM QRadar            40
  Splunk                23
FIREWALL
  Palo Alto              5
  Cisco ASA              3
CLOUD SERVICES
  O365                   2
  SalesForce             1
END POINT
  Qualys Cloud Agent  1279
  Symantec AV          760
  McAfee ePO          1250
VM
  Qualys VM              1
  3rd Party VM           0
FIM
  Qualys FIM             1
  3rd Party FIM          0
Event Source Catalog

Apps help you get started gaining insights from your data source by providing example searches and dashboards for common use cases. Feel free to edit them as you need to get the results you want.

Catalog entries as shown:
Palo Alto Firewall - Configured - Mar 12, 2019
Qualys VM - Mar 12, 2019
Salesforce Cloud Services - Configured - Mar 12, 2019
Qualys Log Collector - Configured - Mar 12, 2019
Imperva WAF - Mar 12, 2019
Cisco - Palo Alto Firewall - Configured - Mar 12, 2019
Microsoft AD - Mar 12, 2019
DDOS - Configured - Mar 12, 2019
O365 Cloud Services - Coming Soon
Splunk SIEM - Configured - Mar 12, 2019
Blue Coat Web Proxy - Configured - Mar 12, 2019
QRadar SIEM - Mar 12, 2019
Smokescreen Decoy/Deception - Mar 12, 2019
Security Data Lake: Technique Coverage

262 Techniques
Status: In use / Available
Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control
Log Sources: Missing 82, Installed 180
Threat Management: Techniques (Dashboard | Threat Management | Advanced Analytics | Investigate | Rules | Reports | Configuration)

Search options: Last 30 days

TECHNIQUE                           ID      TACTIC                             STATUS     DATE CREATED
Drive-by Compromise                 -       Initial Access                     Available  Jan 01, 2018
Exploit Public-Facing Application   T1190   Initial Access                     Available  Jan 01, 2018
AppCert DLLs                        T1182   Persistence, Privilege Escalation  Available  Jan 01, 2018
Credentials in Registry             T1214   Credential Access                  Available  Jan 01, 2018
Pass the Hash                       T1075   Lateral Movement                   Available  Jan 01, 2018
Credentials in Registry             T1214   Credential Access                  Available  Jan 01, 2018

Technique descriptions as shown:
Drive-by Compromise: A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's...
Exploit Public-Facing Application: The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated...
AppCert DLLs: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager...
Rule Editor

Rule Name: Possible Exploit Kit Detected
Description: A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's...

Rule Conditions
  Criticality / Timeframe / Time Unit: Select Option
  Stream Field = Stream Field, e.g. Stream 1 having username = Stream 2 having user
  Per stream: Log Source, Occurrence
  Group by / Differ by: Select Option
  Condition groups combined with OR

Threat Intelligence
  Configure and Activate Threat Intelligence Mapping
  Threat Intelligence Matching enables the system to match a signal with the Threat Intelligence data being made available by international organizations.

Adaptive Response
  Send Email (Send to: Kunal Modasiya)
  Send Syslog Alert (3rd party tools) (Connections: Syslog, mysyslogfile.here)
  Run Custom Script (Custom script: mycustom.script.goes.here)
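As an added example (not code from the deck or from Qualys), here is the two-stream correlation the Rule Editor expresses ("Stream 1 having username = Stream 2 having user" within a timeframe) together with the entity chaining behind the Threat Storyline slide, in plain Python over constructed events; the source names, field names and sample events are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the deck): one per source in the slide's
# storyline, already normalized to one schema and enriched with an ATT&CK tactic.
EVENTS = [
    dict(ts="2019-03-12T10:00:00", src="qualys_vm", asset="web01", user=None, tactic="Initial Access"),
    dict(ts="2019-03-12T10:05:00", src="passive_sensor", asset="web01", user=None, tactic="Command and Control"),
    dict(ts="2019-03-12T10:20:00", src="cloud_agent", asset="web01", user="svc_web", tactic="Credential Access"),
    dict(ts="2019-03-12T10:25:00", src="domain_controller", asset="dc01", user="svc_web", tactic="Lateral Movement"),
    dict(ts="2019-03-13T09:00:00", src="cloud_agent", asset="lap07", user="alice", tactic="Discovery"),
]

# A rule in the shape the Rule Editor exposes: two streams joined on a field
# ("Stream 1 having username = Stream 2 having user"), a timeframe and a criticality.
RULE = dict(name="Credential theft followed by DC login",
            stream1=dict(src="cloud_agent", tactic="Credential Access"),
            stream2=dict(src="domain_controller", tactic="Lateral Movement"),
            join="user", timeframe=timedelta(hours=1), criticality="High")

def ts(ev):
    return datetime.fromisoformat(ev["ts"])

def matches(ev, stream):
    return all(ev.get(k) == v for k, v in stream.items())

def correlate(rule, events):
    """Fire once per stream-1 event that has a stream-2 event with the same
    join-field value inside the timeframe; emits signals, not raw events."""
    key, signals = rule["join"], []
    for a in (e for e in events if matches(e, rule["stream1"]) and e.get(key)):
        for b in (e for e in events if matches(e, rule["stream2"]) and e.get(key) == a[key]):
            if timedelta(0) <= ts(b) - ts(a) <= rule["timeframe"]:
                signals.append(dict(rule=rule["name"], criticality=rule["criticality"],
                                    **{key: a[key]}, assets=sorted({a["asset"], b["asset"]})))
    return signals

def storylines(events, window=timedelta(hours=24)):
    """Chain events that share an asset or a user within the window into
    chronological lists of ATT&CK tactics: the slide's Threat Storyline."""
    lines = []
    for ev in sorted(events, key=ts):
        ents = {("asset", ev["asset"])} | ({("user", ev["user"])} if ev["user"] else set())
        for line in lines:
            if line["ents"] & ents and ts(ev) - line["last"] <= window:
                line["ents"] |= ents
                line["tactics"].append(ev["tactic"])
                line["last"] = ts(ev)
                break
        else:
            lines.append(dict(ents=ents, tactics=[ev["tactic"]], last=ts(ev)))
    return [line["tactics"] for line in lines]
```

The rule fires once for svc_web (linking web01 and dc01), while the unrelated lap07 activity lands in its own storyline because it shares neither asset nor user with the first chain.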
Security Analytics: Threat Management

Threat Hunting Overview (Dashboard | Threat Management | Advanced Analytics | Investigate | Rules | Reports | Configuration), Last 30 days

Signals breakdown by MITRE ATT&CK stages (tiles with per-stage counts): Initial Access 27, Execution 33, Defense Evasion 12, Credential Access 24, Lateral Movement 19, Collection 22, Exfiltration 13, Command & Control (remaining tiles not legible)

Top 10 signals by MITRE tactics and techniques
Techniques shown (partial): Drive-by Compromise, Brute Force, Data Transfer Size Limits, Data from Info..., Privilege Escalation

TACTIC              SIGNALS
Initial Access       72
Credential Access    66
Exfiltration         52
Persistence          50
Lateral Movement     50
Discovery            38
Lateral Movement     36
Credential Access    33
Collection           28

Signals by risk: 442 total, High 244, Medium 100, Low (not legible)

Top 10 triggered/notable users by signals counts

USERNAME                               LOCATION
suneetha routhu (guays_ur5)            Foster City, CA
Shailesh Athalye (quays.sa1)           Pune, India
Kunal Modasiya (kunalm.quays123)       Foster City, CA
Abhijit Joshi (abhs 321)               Pune, India
Hari Srinivasan (harstar-76)           Foster City, CA
_mbsetupuser (mb_doogg)                Foster City, CA
robertswanson (rs_rs2019)              Foster City, CA
root (rs_s82019)                       Shanghai, China

Top 10 triggered/notable asset/hostname by signals counts

ASSET NAME             ADDRESS
emily-pc               (not legible)
10.10.35.242           10.10.35.242
com-rhel70x64....      10.10.35.241
10.10.31.129           10.10.31.129
10.10.30.37            10.10.30.37
102354mbp15.lo...      (not legible)
i-03ef90e7b729...      (not legible)
PCDemoEC2-SA           172.31.28.41

Signals by risk: 677 total, High 324, Medium 181, Low 172

OS                           SIGNALS
Red Hat Enterprise Linux      134
AIX 5.x / AIX 6.x             111
Mac OS X                       94
Windows 10 Enterprise          91
Windows 10 Enterprise          88
Ubuntu Linux 17.04             82
Linux                          72
Microsoft Windows              66
Security Analytics - Milestone Timelines

Nov 2019 - Milestone 1: Demo at QSC; Adv Correlation Engine
April 2020 - Milestone 2 (Alpha): Adv Correlation Engine; MITRE ATT&CK Analytics; Connector Library
Aug 2020 - Milestone 3 (Beta): SIEM Connectors; Incident Response; Real-Time Context Enrichment; Alert Triage, Investigation & Prioritization
Nov 2020 - Milestone 4 (GA): UEBA, Threat Hunting; Data Analytics; 50+ Connector Library
Thank You

Dilip Bachwani
dbachwani@qualys.com